One Encryption Backdoor Is One Too Many

Although the FBI no longer needs to force Apple to unlock an iPhone that belonged to one of the San Bernardino terrorists, the debate must continue. This is too important an issue to let fade from the national discourse until the FBI or any other government agency makes another similar request of any technology developer or provider. Technologically complex topics like encryption and backdoors can be difficult to understand by non-technologists, including those who seek to legislate or adjudicate on the matter. Backdoors undermine the effectiveness of encryption by making it either reversible or otherwise defeatable, thereby eroding any reasonable expectation of privacy. That is why Sophos strongly opposes any future mandate or request to put backdoors or shared keys in our products, or in other solution providers’ software and hardware products. To defend the right to privacy of the law abiding, we must prevent future court decisions or the passage of legislation that will weaken all of our rights to privacy. But we also must identify less societally costly alternatives for law enforcement to employ while working to identify and apprehend terrorists and other criminals. This article identifies such alternatives.

The FBI’s request raised two significant red flags.

First, asking Apple to create a unique piece of firmware that will: a) disable the lockouts, and b) allow passcodes to be entered electronically may sound innocuous. But, if the FBI receives permission for this kind of special firmware, that opens the door for it to request special firmware for whatever purposes it may decide it needs for future cases.

Second, no one can offer a 100 percent guarantee that any one-off decryption key or similar tool will never fall into the wrong hands. As Apple’s Tim Cook warned in his public letter to customers,

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Sophos stands firmly by its position of strongly opposing any mandate or request by any government, intelligence or law enforcement body or business to put backdoors or shared keys in products, based on the following principles:

Encryption protects individuals from identity theft, extortion and political or religious persecution. It protects organizations from industrial espionage and liability for data loss, and ensures the security of commerce. Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.

Strong encryption is essential to the integrity of Internet commerce and banking. Ubiquitous, strong encryption ensures consumer trust by preventing online fraud and theft of financial or personal information. Encryption is a key element of the communications technologies that foster economic growth and expand access to and participation in the global economy. Implementation, enforcement and management of backdoors would be impractical and enormously costly to technology companies, stifling innovation and harming our competitiveness in the global economy.

3. Encryption is essential for effective cybersecurity.

In today’s connected society, even with all the sophisticated technology used to defend against online threats, we will never be secure against cyberattacks without strong encryption. Today’s cyberattacks are becoming more complex, with advanced attackers using multiple points of entry to get around security software. Encryption is the last line of defense in a cybersecurity strategy that requires multiple layers of protection.

4. Governments should not undermine the effectiveness and security of encryption.

Backdoors for some would mean backdoors for all, including repressive regimes, malicious insiders, foreign spies and criminal hackers. Sophos agrees with the world’s leading cryptographers that backdoors in encryption would subvert its effectiveness by introducing enormous risk of security vulnerabilities. Backdoors in reputable commercial software would not prevent bad actors from finding alternative forms of encryption to hide their activities and communications. Recent advances in homomorphic cryptography have produced proposals such as PrivaTegrity from David Chaum, which promises strong encryption that can be reversed only by a specially chosen council of nine. Putting aside the opaque matter of the selection of members of the council, as well as the arguable matter of this possibly only raising the bar for illicit use of the backdoor, there is one simple reason why this is not a solution: you can’t make the bad guys use it. Industry experts and non-experts alike with any capacity for forethought or consideration of consequences have sensibly warned that either outlawing encryption or introducing backdoors will only force criminals and terrorists to create proprietary forms of uncontrolled encryption, subjecting only the law abiding among us to eavesdropping or compromise. We have recently seen evidence of this.

5. Technology companies, academia and governments should work together against terrorism without compromising the security and privacy of all.

We welcome the conversation about encryption and are pleased to help educate legislators and others about the technical issues involved. However, we will stand firm in our conviction that backdoors are not the answer to the problem of bad people doing bad things. Technology companies, academia, governments and law enforcement agencies should work together to find alternative solutions that will improve our collective security without compromising the privacy and integrity of the individual.

The alternatives for investigators

U.S. intelligence and law enforcement communities still hold a common misperception that encryption technologies handicap their investigations. They use the term “going dark” to describe their worries that end-to-end encryption in certain applications and on mobile devices enable terrorists and criminals to conceal their communications from surveillance.

However, that argument falls down when you consider that terrorist organizations and rogue nation states are very sophisticated when it comes to developing and using technology for their evil purposes. There’s nothing to stop them from creating their own encryption technologies that can’t be cracked by law enforcement or tech companies.

Turning the tables

The Berkman Center for Internet & Society at Harvard University recently convened a diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community to examine the enduring problems of surveillance and cybersecurity. The resulting report concludes that forcing technology companies to create backdoors would be a futile effort. (Source: Berkman Center for Internet & Society at Harvard University - PDF)

The report also describes how the rapid evolution of technologies can help law enforcement, even if terrorists try to use encryption. For example, networked sensors and the Internet of Things are projected to grow substantially, which would significantly improve law enforcement’s surveillance efforts. An inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.

Also, consider that metadata is not encrypted, either by design (e.g. any non-HTTPS site), accident (neglect to encrypt payloads), or necessity (e.g. native TCP/IP flow data). This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.

Exploiting vulnerabilities

So long as people write software, or even the software that writes software in the not too distant future, there will be bugs in software to exploit. In the San Bernardino case, the FBI admitted to doing just that. They paid an individual to exploit a vulnerability and now have access to the iPhone in question. While it might seem unorthodox, we do support law enforcement’s exploitation of such defects. However, even though the FBI have classified the method used as a “state secret,” they have yet to decide whether to disclose this vulnerability to Apple. It is likely that at some point the FBI would have to disclose how they obtained the evidence, leaving many iPhones insecure. This remains a concern, so I will caveat my support of this practice only with the following stipulations:

1. Disclose vulnerabilities immediately:Law enforcement must alert a vendor to a bug or other issue it discovers as soon as possible. The time it takes for a vendor to develop and distribute a patch or other fix will provide a sufficient window for investigators. This will also benefit technology providers because this will help us make our products better, and the competition will prevent criminals from exploiting these vulnerabilities.

2. Establish clear rules of engagement:Such exploitation should only be used to obtain that information which the court-issued warrant stipulates. Judicial oversight must ensure the government is fully transparent to the public.

Government agencies must realize that a backdoor for one is a backdoor for all. It violates the public’s trust and can actually enable, not handicap, terrorists. It’s the exact same reason we believe security companies overall should not build backdoors into antivirus software - that would leave hospitals, businesses, banks, and all our other business and consumer customers vulnerable.

The approach instead should be to use technology to collect and analyze the ever-growing volumes of data that terrorists and other criminals create when they use social media networks, instant messaging clients, email, and even online video game chat rooms to communicate and distribute propaganda.

Clearly, strong encryption that cannot be exploited by external or internal actors is a must for any organization. For this reason, Sophos stands firmly by its position of strongly opposing any mandate or request by any government, intelligence or law enforcement body or business to put backdoors of any form into products.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.